SANS ISC InfoSec Forums

History

On Friday the 29th (for nearly all of our readers, after the end of their working day), we saw the WebViewFolderIcon setslice exploit spreading in the wild. We have raised our Infocon to Yellow for 24 hours to increase awareness of the problem and to call for action. Barring further spectacular developments, we will go back to Green after 24 hours. We will remind our readers on Monday.

This exploit started in the Month of Browser Bugs on July the 18th as a Denial of Service; however, its author recently released a code-executing variant of it.

Reason for Yellow

The WebViewFolderIcon setslice exploit is becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly, and those using the exploit are not the least dangerous ones either. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove.

Actions

We suggest the following actions (do them all: a layered approach will still work when one of the measures fails):

Update your antivirus software, make sure your vendor has protection for it (*).

(*): It's important to note the difference between your antivirus solution detecting the exploitation itself (very rare) and detecting the payload of known exploits (common). Only the first will offer real protection against new threats.

(**): There are currently no reports of side effects on other applications when stopping this ActiveX control.